On Mon, Apr 08, 2019 at 09:49:37AM -0500, joshua stein wrote:
> psize is built from the first two bytes read from the device, but it
> could be completely bogus, especially when polling. This can result
> in a panic when reading p.
>
> Promote it to a signed int to catch it going negative and discard it
> if it's 2 or less, because shortly after it is decreased by 2 or 3.
>
ok stsp@
> Index: sys/dev/i2c/ihidev.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/i2c/ihidev.c,v
> retrieving revision 1.18
> diff -u -p -u -p -r1.18 ihidev.c
> --- sys/dev/i2c/ihidev.c 20 Sep 2018 01:19:56 -0000 1.18
> +++ sys/dev/i2c/ihidev.c 8 Apr 2019 14:42:53 -0000
> @@ -585,8 +585,7 @@ ihidev_intr(void *arg)
> {
> struct ihidev_softc *sc = arg;
> struct ihidev *scd;
> - u_int psize;
> - int res, i, fast = 0;
> + int psize, res, i, fast = 0;
> u_char *p;
> u_int rep = 0;
>
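Review bot: changing u_int to int here cannot by itself "catch it going negative": psize is assembled in the next hunk as `sc->sc_ibuf[0] | sc->sc_ibuf[1] << 8`, which yields at most 0xffff, so the real protection is the new lower bound on the value, not its signedness. If sc_isize is an unsigned type, `psize > sc->sc_isize` becomes a mixed signed/unsigned comparison that is only safe because psize is known to be nonnegative; either keep u_int and add just the `<= 2` test, or add a one-line comment saying why the signed compare is fine.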
> @@ -605,7 +604,7 @@ ihidev_intr(void *arg)
> * than or equal to wMaxInputLength
> */
> psize = sc->sc_ibuf[0] | sc->sc_ibuf[1] << 8;
> - if (!psize || psize > sc->sc_isize) {
> + if (psize <= 2 || psize > sc->sc_isize) {
> if (sc->sc_poll) {
> /*
> * TODO: all fingers are up, should we pass to hid
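Review bot: `psize <= 2` still accepts psize == 3, and per the commit message the value is shortly afterwards decreased by 2 or 3, so on the "3" path a report of length 3 becomes a zero-length payload; unless the code after this check handles a zero length, the bound should be `<= 3` on that path or the comparison should be made against the amount actually subtracted. Also, the comment just above the check (ending "than or equal to wMaxInputLength") documents only the old upper bound; it should now also state why reports of 2 bytes or fewer are discarded.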
>